Good day everyone, my name is George Samuel from Nigeria. I'm a second-year student studying Cyber Security Science at the Federal University of Technology, Akure, Nigeria. I chose Digital Forensics as my area of cyber security and am still a beginner. I'm analyzing a data-leakage case.

I want to recover users' passwords from the data-leakage case. I got the SAM file of the registry hive but am unable to locate the syskey; I checked almost all the directories and folders but couldn't locate it. I only came across syskey.exe. I'm using Autopsy 4.6.0 to analyze the forensic image and AccessData Registry Viewer to analyze the registry files, but it requires that the syskey be loaded with the SAM file when I want to check whether a particular user set a password and to see the NT hash, LM hash, old LM hash and old NT hash values. I would be glad if someone could explain how I can extract the syskey for the password recovery. Thanks.

It seems like you are looking for a "Syskey" file (or possibly Registry key).

There isn't any.

"Syskey" is actually a Boot Key (Startup Key) generated by Syskey.exe and stored inside the SYSTEM registry backing file, but it is not an actual key; it is "scrambled into subkeys of the following registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa".

One alternative is to boot the image as a VM, then break in by creating a separate account (using a copy of the original image, not the original!) or an exploit (i.e. modifying the Windows installation to spawn a command prompt), run Volatility, dump the credentials and then crack 'em. Everything would be open like a book in memory for the taking.

As I said, do this against a COPY of the disk image, as this would be an active measure which will change the evidence on disk.

Which, IMHO, is not exactly the easiest thing to do; though P2V tools exist, of course, it remains something complex (as a matter of fact I believe that post-Windows 7 there are a lot of factors, besides the usual issues with mass storage drivers, that make it more complex than before).

jaclaz
_________________- In theory there is no difference between theory and practice, but in practice there is. -